SB2026050588 - Multiple vulnerabilities in Grav CMS

Published: May 5, 2026

Security Bulletin ID: SB2026050588
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 14 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-66296)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the Grav Admin user creation functionality when creating user accounts. A remote user can create a new account using the same username as an existing administrator account and set new credentials to escalate privileges.

The issue can result in takeover of an existing administrator account.


2) Path traversal (CVE-ID: CVE-2025-66295)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to overwrite arbitrary YAML files and modify other user accounts.

The vulnerability exists due to path traversal in the Admin UI user creation functionality when processing a username containing path traversal sequences during new user creation. A remote user can create a new user with a specially crafted username to overwrite arbitrary YAML files and modify other user accounts.

Exploitation requires the ability to create users through the Admin UI.
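The two account-creation issues above (items 1 and 2) share one root cause: a username taken from the request is used both as the account's identity and as the name of the YAML file written to disk, with no allow-list, no path check and no refusal when the name is already taken. The following is an added example of the server-side check a defender would want on such an endpoint; it is not Grav's own code, and the accounts directory, the existing user list and the regular expression are constructed for the example.

```python
import os
import re

# Constructed values for this example (not Grav's real layout or user list).
ACCOUNTS_DIR = "/var/www/site/user/accounts"
EXISTING_USERS = {"admin", "editor"}

# Allow-list for new usernames: lowercase letters, digits, '.', '-', '_',
# 3 to 16 characters, first character alphanumeric. Because the name can
# never start with '.' or contain '/', a sequence such as "../" cannot appear.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{2,15}")


def account_path(username):
    """Path of the YAML account file that would be written for `username`."""
    return os.path.normpath(os.path.join(ACCOUNTS_DIR, username + ".yaml"))


def validate_new_username(username, existing_users=EXISTING_USERS):
    """Return (ok, reason). A name is accepted only if it matches the allow-list,
    its account file resolves inside ACCOUNTS_DIR, and no account with that name
    exists yet (an existing account is never silently overwritten)."""
    if not USERNAME_RE.fullmatch(username):
        return False, "username contains disallowed characters"

    # Defence in depth: check the resolved path even for names that passed the
    # allow-list, so a later relaxation of the regex cannot reintroduce traversal.
    target = account_path(username)
    if os.path.commonpath([ACCOUNTS_DIR, target]) != ACCOUNTS_DIR:
        return False, "account file would be written outside the accounts directory"

    if username in existing_users:
        return False, "an account with this username already exists"

    return True, "ok"


if __name__ == "__main__":
    for name in ["newuser", "admin", "../../config/system", "..hidden", "Admin"]:
        print(repr(name), validate_new_username(name))
```

The order of the checks matters: the duplicate-name test runs last so that a rejected name never reveals, through a different error message, whether an account of that name exists. The same check belongs on every code path that writes an account file, not only the admin form.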


3) Observable Response Discrepancy (CVE-ID: CVE-2025-66307)

CWE-ID: CWE-204 - Observable Response Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to enumerate valid usernames and disclose associated email addresses.

The vulnerability exists due to observable response discrepancy in the taskForgot() function of the Admin plugin login controller when handling password reset requests to /admin/forgot. A remote attacker can submit repeated password reset requests with crafted usernames to enumerate valid usernames and disclose associated email addresses.

Exploitation requires the password reset functionality to be enabled.
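The discrepancy described in item 3 arises whenever a password-reset handler answers differently for a known and an unknown username, or echoes the address it mailed to. As an added example (not code from Grav or its Admin plugin), the handler below is shown in the leaky form beside a hardened form that returns one generic reply and does the same work for every request; the user table and the mail queue are constructed stand-ins so the example runs offline.

```python
import secrets

# Constructed user store: username -> e-mail address (not real data).
USERS = {"admin": "admin@example.org", "editor": "editor@example.org"}

SENT_MAIL = []  # stand-in for an outgoing mail queue, so the example runs offline


def forgot_leaky(username, users=USERS):
    """Behaviour to avoid: the reply differs depending on whether the account
    exists, and the success message even echoes the registered address."""
    if username not in users:
        return "Username not found."
    SENT_MAIL.append((users[username], secrets.token_urlsafe(32)))
    return f"Password reset link sent to {users[username]}."


GENERIC_REPLY = "If an account with that username exists, a reset link has been sent."


def forgot_uniform(username, users=USERS):
    """Hardened handler: the same reply, and the same amount of work, for every
    request, so the response carries no signal about which usernames exist."""
    token = secrets.token_urlsafe(32)      # generated whether or not the user exists
    email = users.get(username)
    if email is not None:
        SENT_MAIL.append((email, token))   # mail goes only to a registered address
    return GENERIC_REPLY


if __name__ == "__main__":
    for name in ["admin", "nobody"]:
        print(name, "->", forgot_leaky(name), "|", forgot_uniform(name))
```

The generic reply closes the content channel; rate limiting on the endpoint and a fixed-cost path (token generation performed unconditionally, as above) narrow the timing channel that remains.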


4) Path traversal (CVE-ID: CVE-2025-66302)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the backup tool when processing user-supplied backup root folder paths. A remote privileged user can supply a crafted path to disclose sensitive information.

The impact depends on the privileges of the account running the application.


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-66306)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /admin/accounts/users/{username} endpoint when handling requests for another user's account details. A remote user can send a request for another user's account page to disclose sensitive information.

Sensitive data may still be present in the response source even when the application returns an HTTP 403 response.


6) Inefficient regular expression complexity (CVE-ID: CVE-2025-66305)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper regular expression handling in the Supported parameter of the Languages configuration in the admin/config/system endpoint when processing user-supplied input. A remote privileged user can submit a malformed Supported value to cause a denial of service.

The issue is triggered by malformed input such as a forward slash that causes a fatal regular expression parsing error during language resolution.


7) Improper access control (CVE-ID: CVE-2025-66297)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Twig processing in page rendering when rendering a page with attacker-controlled Twig expressions enabled in frontmatter. A remote user can inject malicious Twig expressions into editable page content to escalate privileges.

For privilege escalation, the same non-admin user must also be logged in to the site frontend when the crafted page is visited.


8) Improper access control (CVE-ID: CVE-2025-66301)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a remote user to modify form processing actions.

The vulnerability exists due to improper access control in /admin/pages/{page_name} when handling crafted POST requests that modify data[_json][header][form]. A remote user can send a specially crafted request to modify form processing actions.

Exploitation requires the Admin and Form plugins to be installed.


9) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2025-66294)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary commands on the server.

The vulnerability exists due to improper neutralization of special elements used in a template engine in the cleanDangerousTwig method when processing user-supplied Twig expressions through form message handling. A remote user can submit a specially crafted Twig payload to execute arbitrary commands on the server.

Exploitation in the documented editor scenario requires the official Form and Admin plugins and was demonstrated by chaining with a separate broken access control issue to modify the form process section. It may also be exploitable without authentication if a form already exists that accepts user input and passes it through evaluate_twig.


10) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2025-66298)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side template injection in the Forms plugin form handling when processing crafted POST form submissions. A remote attacker can send a specially crafted POST request to disclose sensitive information.

The issue can expose Grav configuration details, including plugin configuration details.


11) Resource exhaustion (CVE-ID: CVE-2025-66303)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in the admin panel scheduled_at parameter handling when processing crafted cron expression input. A remote privileged user can submit a specially crafted scheduled_at value to cause a denial of service.

The issue can render the admin panel non-functional, and recovery requires manual correction of the corrupted cron expression in the backup.yaml file.


12) Information disclosure (CVE-ID: CVE-2025-66304)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to exposure of sensitive information in the user account management section of the admin panel when handling requests to view user account details. A remote privileged user can inspect the page source to obtain password hashes and crack them to escalate privileges.

The password hashes of all users, including the admin user, can be exposed to an account with read access to user accounts.
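Items 5 and 12 both concern the account-details page: in item 5 the record is still present in the body of a response whose status is 403, and in item 12 an authorized viewer can read password hashes out of the page source. The added example below (not Grav's code; the account records, hashes and the authorization rule are constructed for illustration) contrasts the rendering order that produces the first problem with a handler that decides authorization before rendering anything and strips secret fields from what it does render.

```python
import json

# Constructed account records (not real users or hashes).
ACCOUNTS = {
    "admin": {
        "email": "admin@example.org",
        "hashed_password": "$2y$10$CONSTRUCTED_HASH_A",
        "access": {"admin": {"super": True}},
    },
    "editor": {
        "email": "editor@example.org",
        "hashed_password": "$2y$10$CONSTRUCTED_HASH_B",
        "access": {"admin": {"pages": True}},
    },
}

# Fields that must never reach a rendered page, whoever the viewer is.
SECRET_FIELDS = {"hashed_password", "twofa_secret", "reset"}


def can_view(requester, target):
    """Authorization rule assumed for the example: a user may view their own
    account; only a super-admin may view another user's account."""
    if requester == target:
        return True
    access = ACCOUNTS.get(requester, {}).get("access", {}).get("admin", {})
    return bool(access.get("super", False))


def account_page_leaky(requester, target):
    """Pattern to avoid: the page is rendered first and the status chosen
    afterwards, so the 403 response still carries the full record."""
    body = json.dumps(ACCOUNTS.get(target, {}))
    status = 200 if can_view(requester, target) else 403
    return status, body


def account_page_hardened(requester, target):
    """Deny before rendering, and render only non-secret fields when allowed.
    Authorization is checked before existence so a non-admin gets the same
    403 for a real and for a non-existent username."""
    if not can_view(requester, target):
        return 403, ""
    if target not in ACCOUNTS:
        return 404, ""
    public = {k: v for k, v in ACCOUNTS[target].items() if k not in SECRET_FIELDS}
    return 200, json.dumps(public)


if __name__ == "__main__":
    print(account_page_leaky("editor", "admin"))
    print(account_page_hardened("editor", "admin"))
    print(account_page_hardened("admin", "editor"))
```

A quick regression check for either issue is to request another user's account page with a low-privilege session and grep the raw response body, not the rendered view, for the hash prefix; the hardened handler returns an empty body on 403 and omits the hash entirely on 200.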


13) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2025-66299)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in a template engine in the Twig sandbox implementation when processing malicious Twig template directives in editable pages. A remote user can inject crafted template directives to execute arbitrary code.

Exploitation requires permission to edit a page with Twig processing enabled, and the injected code may be triggered when the page is later accessed.


14) Improper access control (CVE-ID: CVE-2025-66300)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Frontmatter form handling in /user/plugins/form/templates/forms/fields/display/display.html.twig when processing page content previews or published pages. A remote user can create or edit a form page with specially crafted frontmatter to disclose sensitive information.

The issue can expose arbitrary server files, including Grav account files that contain hashed passwords, 2FA secrets, and password reset tokens.


Remediation

Install update from vendor's website.